I am currently working on a small website. To make it look more legitimate and professional I'd like to have a green lock with my name on it in the browsing bar (EV SSL certificate). I have 2 .pem files created for normal and EV SSL certificates. The thing is: I don't know how to continue. I searched through like 50 threads on several forums including StackOverflow and haven't found anything really useful. Something was said about modifying the openssl config here, but I really don't know how the thread creator got these flags, so I didn't even try them because they probably won't work anyway.
I'd really appreciate help.
You cannot generate a certificate, self-signed or signed by your own CA, which is treated as an EV certificate by unmodified browsers. Certificates are marked as EV by having OIDs in the certificate which are specific to the issuing certificate authority. Which authorities can issue EV certificates and which OIDs they use are hard-coded into the browsers, i.e. you would need to change the source code and recompile the browsers to accept EV certificates issued by your own CA.
For more information see "Can I build my own Extended Validation SSL certificate?" or "How to generate self-signed EV SSL Certificate?".
I've been googling like mad trying to figure this out, but the answer doesn't seem to be clear, or at least, it seems like there are contradictory answers.
I'm tasked with setting up an Apache web server with 2Way SSL authentication. We use Verisign to get our certificates, so we have a certificate for the web instance with the correct hostname details, signed by Verisign, and an intermediate certificate from Verisign. This all works very well.
Now, we need to set up a 2Way SSL connection. The initial expectation is that the client will manage their own certificates, and provide them to us for authentication. More than one client may be connecting, and they should each have access to different resources when they connect.
From what I've read, I'm not sure how this would be done...
This is a pretty good overview, but in this situation, they are using self-signed certificates: https://security.stackexchange.com/questions/34897/configure-ssl-mutual-two-way-authentication
Using these details, it would seem like we would have to make the trusted CA point to the certificate authority that signs the client's certificate.
Is it possible to use the client certificate as the trusted CA (even though it isn't self signed, but signed by a CA) or would we have to put a trusted CA from their signer (and at that point, would a CA bundle that includes all the client certificate authority CAs work?) on the server and then use the SSLRequire statements to limit access to specific details of the certificate?
As a follow-up, can we use the SSL certificate that we get from Verisign to sign client certificates?
So, after several more hours on Google, and some testing, I was able to figure out what I needed to.
If I want to use a certificate signed by Verisign or some other public CA, I would have to copy their public intermediate certificate (the one that they use to sign the client certs) to my server and specify it as the SSLCACertificateFile in the configuration. The caveat is that then any cert signed by that CA would be accepted, and that's where the SSLRequire directives can be used to narrow that down to specific certificates.
Using the SSLVerifyClient optional_no_ca directive would make it assume that the cert is trusted, even if it isn't, and then I would have to use SSLRequire directives to verify the details are correct; however, anybody could create and sign their own certificate with those details and there would be no way to tell.
Creating my own self-signed CA certificate, and then using that to sign the client certificates and issuing them to the clients, is the only way to both ensure that the cert isn't a forgery and not require SSLRequire directives to ensure that only the people that I specify can connect.
Please comment/correct me if I'm wrong on any of this.
Use:
SSLVerifyClient optional_no_ca
In your Apache config. This will request the client certificate but not validate it against a CA. It will then be up to your local script to examine the resulting environment variables set by Apache such as 'SSL_SERVER_S_DN' and decide whether to allow the request or not.
These mod_ssl environment variables are also what your code needs to look at when determining what resources the client can access.
The full documentation is here mod_ssl although you probably found that already.
A note on client certificates. If you did want to use a CA and leave it to the clients, they may all use different CAs and you would have a job maintaining them all on your server. It would be much better to trust a single CA.
The advantage would be that then you could use the built-in SSL support to do all your certificate checks and not write your own solution.
You could enforce a single CA by specifying an on-line provider and using email signing certificates to identify clients. These would work fine, just the Certificate Subject would be an email address instead of a domain name.
Or you could set up your own CA and sign client certificates yourself. This is not too difficult and gives you complete control. Either route would require you to add the CA root certificate (plus intermediates) to a file Apache can read and point 'SSLCACertificateFile' to it.
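The two configurations discussed in this thread, side by side, as an added example (not configuration from any of the posters). It assumes Apache 2.4 with mod_ssl; every path, hostname and DN value is a placeholder. Note that the variables describing the client's certificate are the SSL_CLIENT_* ones (SSL_SERVER_* describe the server's own certificate), and that under optional_no_ca they carry whatever the client chose to put in its certificate.

```apache
# Style A: trust one CA (your own, or one chosen public CA) and let mod_ssl do the
# chain check. SSLRequire then narrows access to particular certificates; it is
# a filter on an already-verified certificate, not the security boundary.
<VirtualHost *:443>
    ServerName              api.example.test
    SSLEngine               on
    SSLCertificateFile      /etc/ssl/example/server.crt
    SSLCertificateKeyFile   /etc/ssl/example/server.key

    # Root plus intermediates of the CA that issues client certificates.
    SSLCACertificateFile    /etc/ssl/example/client-ca-chain.pem
    SSLVerifyClient         require
    SSLVerifyDepth          2          # root -> intermediate -> client

    # Export SSL_CLIENT_* variables to scripts behind this host.
    SSLOptions              +StdEnvVars

    <Location /partner-a>
        # Only certificates from this CA with these subject fields get in.
        SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Partner A Ltd" \
               and %{SSL_CLIENT_S_DN_CN} in {"partner-a-gateway", "partner-a-batch"}
    </Location>
</VirtualHost>

# Style B: optional_no_ca, as in the answer above. The certificate is requested
# and parsed but not validated against any CA: SSL_CLIENT_VERIFY will be
# "GENEROUS" or "FAILED:..." rather than "SUCCESS", and every SSL_CLIENT_S_DN_*
# value is chosen by whoever made the certificate. Use this only when the
# application does its own verification of SSL_CLIENT_CERT (e.g. compares the
# public key against a list it already holds).
<VirtualHost *:443>
    ServerName              legacy.example.test
    SSLEngine               on
    SSLCertificateFile      /etc/ssl/example/server.crt
    SSLCertificateKeyFile   /etc/ssl/example/server.key

    SSLVerifyClient         optional_no_ca
    # +ExportCertData puts the client's PEM certificate in SSL_CLIENT_CERT
    # so the application can check it itself.
    SSLOptions              +StdEnvVars +ExportCertData
</VirtualHost>
```

In style A the SSLRequire block is optional; without it, any certificate from the configured CA is accepted, which is exactly the caveat the question's author found.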
Generating a CSR needs the server-name, organization, country etc. The server-name is used in SSL to make sure the server you are talking to is the server which was certified. Question is (1) what is the relevance of server-name if I use a certificate for code-signing?
Code signing certificates are different from SSL certificates only in flags. The rest is all the same. Now if I take an SSL certificate issued to foo.com and install it on bar.com then it won't work. What about a code signing certificate? If I take a code signing certificate issued to foo.com and install it on bar.com and sign DLLs or JARs from there, then would there be any problem (2)?
I guess there should not be any. I do not have such a certificate so I can't test it, but in theory should there be any problem?
"what is the relevance of server-name if I use a certificate for code-signing?"
There are no dependencies. However, a proper subject field will help to identify the original publisher.
"then would there be any problem"
No. There is no other subject name to compare. For code signing certificates, the subject may be anything; it must just be descriptive.
I have installed an SSL certificate via WHM on one of my domains. The site is working with https://xyz.com.
However it is not working with https://www.xyz.com. I have checked the certificate and it is for the www version as well. After some research it appears to be an incomplete chain issue. I have no idea how to resolve this. Please help.
A certificate can contain a special Authority Information Access extension (RFC 3280) with a URL to the issuer's certificate. Most browsers can use the AIA extension to download the missing intermediate certificate to complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such a certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. Note, the trusted root certificate should not be there, as it is already included in the system’s root certificate store.
You should be able to fetch intermediate certificates from the issuer and concat them together by yourself. I have written a script to automate the procedure, it loops over the AIA extension to produce output of correctly chained certificates. https://github.com/zakjan/cert-chain-resolver
A certificate authority is supposed to verify a website is truly who they say they are, right? But certificate authorities sign their own certificates. So those certs are self-signed. Is there a way I can find out if the self-signed certificates they use on their website are reputable and trustable?
You have to trust the CA who issued the certificate. Otherwise, we encounter the classic chicken-egg problem where there is no concrete boundary for trust and certainty.
Once you trust the CA issuer, you can check whether the certificate you have was actually issued by the concerned CA by writing the following on a command line:
$ openssl verify -verbose -CAfile cacert.pem server.crt
Expected Output: server.crt: OK
If you get any other message, the certificate was not issued by that CA.
Visit https://kb.wisc.edu/middleware/page.php?id=4543 for more info
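Both the incomplete-chain answer above and this openssl verify check can be tried end to end without any real CA. The script below is an added example, not code from either answer or from the linked cert-chain-resolver project. It assumes only that the openssl CLI is in PATH and works offline: it generates a fictitious root CA, intermediate CA and leaf certificate in a scratch directory, shows that the leaf alone fails verification exactly as a server sending an incomplete chain does, then assembles the chain the server should send (leaf first, then intermediates, root excluded) by matching each certificate's issuer to a candidate's subject from a local pool, which is the offline equivalent of the AIA walk the linked script performs over the network.

```shell
#!/bin/sh
# Added example: build a three-tier chain with OpenSSL, reproduce the
# "incomplete chain" failure, then assemble and verify the correct chain file.
# All names (Example Root CA, www.example.test, ...) are fictitious.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory, override with WORK=/path
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf;
# every subject is passed with -subj.
cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF

# issue NAME SUBJECT EXTENSIONS [ISSUER]: key + CSR, then a certificate that is
# self-signed when ISSUER is empty, otherwise signed by ISSUER.key/ISSUER.crt.
issue() {
  name=$1; subject=$2; issuer=${4:-}
  printf '%b\n' "$3" > "$name.ext"
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config req.cnf \
    -subj "$subject" -keyout "$name.key" -out "$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 -sha256 \
      -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.crt" -CAkey "$issuer.key" \
      -CAcreateserial -days 2 -sha256 -extfile "$name.ext" -out "$name.crt" 2>/dev/null
  fi
}

# Root CA -> intermediate CA -> leaf, the shape of most public-CA chains.
make_chain() {
  issue root  "/CN=Example Root CA" \
    'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign' ""
  issue inter "/CN=Example Intermediate CA" \
    'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign' root
  issue leaf  "/CN=www.example.test" \
    'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test,DNS:example.test' inter
}

# dn FILE subject|issuer: print the field without the "subject=" / "issuer=" prefix.
dn() {
  openssl x509 -in "$1" -noout "-$2" | sed 's/^[a-z]*= *//'
}

# verify_leaf CAFILE LEAF [UNTRUSTED]: 0 when "openssl verify" says OK, else 1.
# This is the check from the answer above; UNTRUSTED supplies intermediates.
verify_leaf() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

# build_chain LEAF POOLDIR OUT: write LEAF followed by each intermediate found
# in POOLDIR/*.crt, walking issuer -> subject; stop at (and exclude) the
# self-signed root, which belongs in the client's trust store, not in the chain.
build_chain() {
  leaf=$1; pool=$2; out=$3
  cp "$leaf" "$out"
  current=$leaf
  while :; do
    issuer=$(dn "$current" issuer)
    next=""
    for cand in "$pool"/*.crt; do
      [ "$(dn "$cand" subject)" = "$issuer" ] && { next=$cand; break; }
    done
    [ -n "$next" ] || { echo "no issuer '$issuer' found in $pool" >&2; return 1; }
    # A certificate whose issuer equals its subject is a self-signed root.
    [ "$(dn "$next" issuer)" = "$issuer" ] && break
    cat "$next" >> "$out"
    current=$next
  done
}

make_chain
if verify_leaf root.crt leaf.crt ""; then
  echo "unexpected: leaf verified without the intermediate"
else
  echo "leaf alone: NOT OK - this is the incomplete-chain failure"
fi
build_chain leaf.crt . chain.pem
verify_leaf root.crt leaf.crt chain.pem && echo "leaf + intermediate (chain.pem): OK"
echo "chain.pem holds $(grep -c 'BEGIN CERTIFICATE' chain.pem) certificates; root deliberately excluded"
```

chain.pem is what a web server should be configured to send (leaf first, then intermediates); pointing the trust anchor at root.crt alone and passing the rest as -untrusted mirrors what a browser does with its root store.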
No, you just trust them! The most common way is to follow the herd... for example, extracting them from the browsers (http://curl.haxx.se/docs/caextract.html). We are always assuming the browsers are verifying it for us... as well as the operating systems...
"Is there a way [you] can find out if the self signed certificates they use on their website is reputable and trustable?"
You can research the certificate authority yourself.
Some people may not trust a certificate authority, including Google. Google posted a list of authorities they did not trust back in May of 2016:
https://www.theregister.co.uk/2016/03/23/google_now_publishing_a_list_of_cas_it_doesnt_trust/
You either have to trust that the pre-installed certificates that came with your tools (web browser, etc.) are trusted by the producers of those tools, or you can do some research and see if you really trust them yourself. It's basically like asking how you can trust anyone or anything. Can I trust you?
I trust the CAs that come installed with my browser because, well, if I can't trust them then we all have a problem, and that problem is bigger than me. I think it's good to ask questions like this and I wonder if anyone other than Google is questioning certificate authorities.
I am studying SSL and X.509 certificates. I am trying to create a CA certificate from scratch and use it to sign another custom server certificate. Then, I install the CA certificate in the Firefox certificate manager. Everything works fine, and I am even able to connect to the server with my own certificate. But I can't build an EV certificate (i.e. my Firefox address bar stays blue, not green).
So, the question is: can someone please give me a hint which are the distinctive qualities of the EV CA and server certificates that make Firefox trust them?
You cannot build an EV certificate. The EV certificate differs from a regular certificate by a custom extension (the policy ID extension), which is placed by existing CAs in their certificates. The browser checks both the extension (whether it is present in the list of policy IDs known to belong to EV certificates) and the issuer field, and they must match. If you try to use the policy ID of an existing company, I believe the browser won't accept it.